Amazon DataZone 的靜態資料加密 - Amazon DataZone
Amazon DataZone 如何在 AWS KMS 中使用授予建立客戶受管金鑰指定 Amazon DataZone 的客戶受管金鑰Amazon DataZone 加密內容監控 Amazon DataZone 的加密金鑰建立涉及加密 Glue AWS 目錄的 Data Lake 環境

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

Amazon DataZone 的靜態資料加密

依預設加密靜態資料,有助於降低保護敏感資料所涉及的營運開銷和複雜性。同時,其可讓您建置符合嚴格加密合規性和法規要求的安全應用程式。

Amazon DataZone 使用預設擁有 AWS的金鑰自動加密靜態資料。您無法檢視、管理或稽核 AWS 擁有金鑰的使用。如需詳細資訊,請參閱 AWS 擁有的金鑰

雖然您無法停用此層加密或選取替代加密類型,但您可以在建立 Amazon DataZone 網域時選擇客戶受管金鑰。Amazon DataZone 支援使用對稱客戶受管金鑰,您可以建立、擁有和管理這些金鑰。由於您可以完全控制加密,因此您可以執行下列任務:

  • 建立和維護金鑰政策

  • 建立和維護 IAM 政策和授權

  • 啟用和停用金鑰政策

  • 輪換金鑰密碼編譯材料

  • 新增標籤

  • 建立金鑰別名

  • 排程要刪除的金鑰

若要使用您自己的金鑰,請在建立 Amazon DataZone 網域時選擇客戶受管金鑰。

如需詳細資訊,請參閱客戶受管金鑰

注意

Amazon DataZone 會使用 AWS 擁有的金鑰自動啟用靜態加密,以免費保護客戶資料。

AWS 使用客戶受管金鑰需支付 KMS 費用。如需定價的詳細資訊,請參閱 AWS Key Management Service 定價

Amazon DataZone 如何在 AWS KMS 中使用授予

Amazon DataZone 需要兩個授權才能使用您的客戶受管金鑰。當您建立以客戶受管金鑰加密的 Amazon DataZone 網域時,Amazon DataZone 會透過傳送 CreateGrant 請求至 AWS KMS 來代表您建立授予。 AWS KMS 中的授權用於讓 Amazon DataZone 存取您帳戶中的 KMS 金鑰。Amazon DataZone 會建立下列授予,以將客戶受管金鑰用於下列內部操作:

為下列操作加密靜態資料的一項授予:

  • DescribeKey 請求傳送至 AWS KMS,以驗證建立 Amazon DataZone 網域時輸入的對稱客戶受管 KMS 金鑰 ID 是否有效。

  • GenerateDataKey 傳送至 AWS KMS,以產生由客戶受管金鑰加密的資料金鑰。

  • 傳送解密請求可讓 Amazon DataZone 解密儲存的資料。

  • RetireGrant 在刪除網域時淘汰授予。

一種資料搜尋和探索的授權:

  • DescribeKey - 提供客戶受管金鑰詳細資訊,允許 Amazon DataZone 驗證金鑰。

  • Decrypt - 允許 Amazon DataZone 解密儲存的資料。

您可以隨時撤銷對客戶受管金鑰授予的存取權。如果您這麼做,Amazon DataZone 將無法存取客戶受管金鑰加密的任何資料,這會影響相依於該資料的操作。

建立客戶受管金鑰

您可以使用 AWS 管理主控台或 AWS KMS APIs 來建立對稱客戶受管金鑰。

若要建立對稱客戶受管金鑰,請遵循 AWS Key Management Service 開發人員指南中建立對稱客戶受管金鑰的步驟。

金鑰政策 - 金鑰政策控制對客戶受管金鑰的存取。每個客戶受管金鑰都必須只有一個金鑰政策,其中包含決定誰可以使用金鑰及其使用方式的陳述式。在建立客戶受管金鑰時,可以指定金鑰政策。如需詳細資訊,請參閱 AWS Key Management Service 開發人員指南中的管理對客戶受管金鑰的存取

若要將客戶受管金鑰與 Amazon DataZone 資源搭配使用,必須在金鑰政策中允許下列 API 操作:

  • kms:CreateGrant – 將授予新增至客戶受管金鑰。授予控制對指定 KMS 金鑰的存取權,以允許存取 Amazon DataZone 所需的授予操作。如需使用授權的詳細資訊,請參閱 AWS Key Management Service 開發人員指南。

  • kms:DescribeKey – 提供客戶受管金鑰詳細資訊,以允許 Amazon DataZone 驗證金鑰。

  • kms:GenerateDataKey – 傳回用於 AWS KMS 外部的唯一對稱資料金鑰。

  • kms:Decrypt – 解密 KMS 金鑰加密的加密文字。

以下是您可以為 Amazon DataZone 新增的政策陳述式範例:


"Statement": [
    {
      "Sid": "Enable IAM User Permissions for DescribeKey",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:DescribeKey",
      "Resource": "arn:aws:kms:region:111122223333:key/key_ID"
    },
    {
      "Sid": "Allow access to principals authorized to manage Amazon DataZone",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:region:111122223333:key/key_ID",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "kms:EncryptionContextKeys": "aws:datazone:domainId"
        }
      }
    },
    {
      "Sid": "Allow creating grants when creating an Amazon DataZone for all principals in the account that are authorized to manage Amazon DataZone",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:CreateGrant",
      "Resource": "arn:aws:kms:region:111122223333:key/key_ID",
      "Condition": {
        "StringLike": {
          "kms:CallerAccount": "111122223333",
          "kms:ViaService": "datazone.region.amazonaws.com"
        },
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        },
        "ForAnyValue:StringEquals": {
          "kms:EncryptionContextKeys": "aws:datazone:domainId"
        }
      }
    }
]
注意

Amazon DataZone 資料入口網站會透過網域執行角色主體授予客戶受管金鑰的存取權。

如需在政策中指定許可的詳細資訊,請參閱 AWS Key Management Service 開發人員指南。

如需對金鑰存取進行疑難排解的詳細資訊,請參閱 AWS Key Management Service 開發人員指南。

指定 Amazon DataZone 的客戶受管金鑰

您可以在網域建立期間,將客戶受管金鑰指定為第二層加密。

Amazon DataZone 加密內容

加密內容是一組選用的金鑰值對,包含資料的其他相關內容資訊。

AWS KMS 使用加密內容做為額外的已驗證資料,以支援已驗證的加密。當您在加密資料的請求中包含加密內容時, AWS KMS 會將加密內容繫結至加密的資料。若要解密資料,您必須在請求中包含相同的加密內容。

Amazon DataZone 使用以下加密內容:


"encryptionContextSubset": {
    "aws:datazone:domainId": "{dzd_samleid}"
}

使用加密內容進行監控 - 當您使用對稱客戶受管金鑰加密 Amazon DataZone 時,您也可以在稽核記錄和日誌中使用加密內容來識別客戶受管金鑰的使用方式。加密內容也會出現在 AWS CloudTrail 或 Amazon CloudWatch Logs 產生的日誌中。

使用加密內容來控制對客戶受管金鑰的存取 - 您可以使用金鑰政策和 IAM 政策中的加密內容作為條件,以控制對對稱客戶受管金鑰的存取。您也可以在授予中使用加密內容條件。

Amazon DataZone 在授予中使用加密內容限制,以控制對您帳戶或區域中客戶受管金鑰的存取。授予條件會要求授予允許的操作使用指定的加密內容。

以下是授予特定加密內容之客戶受管金鑰存取權的金鑰政策陳述式範例。


 {
      "Sid": "Enable DescribeKey",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/ExampleRole"
      },
      "Action": "kms:DescribeKey",
      "Resource": "arn:aws:kms:region:111122223333:key/key_ID"
    },
    {
      "Sid": "Allow access to principal to manage an Amazon DataZone domain with the given domain id",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/ExampleRole"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:region:111122223333:key/key_ID",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:aws:datazone:domainId": "dzd_sampleid"
        }
      }
    },
    {
      "Sid": "Allow creating grants when creating an Amazon DataZone domain to principal",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/ExampleRole"
      },
      "Action": "kms:CreateGrant",
      "Resource": "arn:aws:kms:region:111122223333:key/key_ID",
      "Condition": {
        "StringLike": {
          "kms:CallerAccount": "111122223333",
          "kms:ViaService": "datazone.region.amazonaws.com"
        },
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        },
        "ForAnyValue:StringEquals": {
          "kms:EncryptionContextKeys": "aws:datazone:domainId"
        }
      }
    }

監控 Amazon DataZone 的加密金鑰

當您搭配 Amazon DataZone 資源使用 AWS KMS 客戶受管金鑰時,您可以使用 AWS CloudTrail 追蹤 Amazon DataZone 傳送至 AWS KMS 的請求。下列範例是 CreateGrantDecryptGenerateDataKey和 的 AWS CloudTrail 事件RetireGrant,用於監控 Amazon DataZone 呼叫的 KMS 操作,以存取客戶受管金鑰加密的資料。

CreateGrant

當您使用 AWS KMS 客戶受管金鑰加密 Amazon DataZone 網域時,Amazon DataZone 會代表您傳送CreateGrant請求,以存取您 AWS 帳戶中的 KMS 金鑰。Amazon DataZone 建立的授予專屬於與 AWS KMS 客戶受管金鑰相關聯的資源。此外,Amazon DataZone 會在您刪除網域時,使用 RetireGrant操作移除授予。

下面的範例事件會記錄 CreateGrant 操作:


{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
        "arn": "arn:aws:sts::111122223333:assumed-role/Example/Sampleuser01",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/Example",
                "accountId": "111122223333",
                "userName": "Example"
            },
            "attributes": {
                "creationDate": "2024-04-22T17:02:00Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "datazone.amazonaws.com"
    },
    "eventTime": "2024-04-22T17:02:00Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datazone.amazonaws.com",
    "userAgent": "datazone.amazonaws.com",
    "requestParameters": {
        "retiringPrincipal": "datazone.us-east-2.amazonaws.com",
        "operations": [
            "GenerateDataKey",
            "RetireGrant",
            "DescribeKey",
            "Decrypt"
        ],
        "granteePrincipal": "datazone.us-east-2.amazonaws.com",
        "constraints": {
            "encryptionContextSubset": {
                "aws:datazone:domainId": "dzd_sampleid"
            }
        },
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "responseElements": {
        "grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE",
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "sessionCredentialFromConsole": "true"
}
            

{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
        "arn": "arn:aws:sts::111122223333:assumed-role/Example/Sampleuser01",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/Example",
                "accountId": "111122223333",
                "userName": "Example"
            },
            "attributes": {
                "creationDate": "2024-04-22T17:10:00Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "datazone.amazonaws.com"
    },
    "eventTime": "2024-04-22T17:49:00Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datazone.amazonaws.com",
    "userAgent": "datazone.amazonaws.com",
    "requestParameters": {
        "retiringPrincipal": "datazone.us-east-2.amazonaws.com",
        "operations": [
            "DescribeKey",
            "Decrypt"
        ],
        "granteePrincipal": "datazone.us-east-2.amazonaws.com",
        "constraints": {
            "encryptionContextSubset": {
                "aws:datazone:domainId": "dzd_sampleid"
            }
        },
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "responseElements": {
        "grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE",
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "sessionCredentialFromConsole": "true"
}
GenerateDataKey

當您為 Amazon DataZone 網域啟用 AWS KMS 客戶受管金鑰時,Amazon DataZone 會產生資料金鑰。它向 AWS KMS 傳送GenerateDataKey請求,指定網域的 AWS KMS 客戶受管金鑰。

下列範例事件會記錄 GenerateDataKey 操作:


{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:AmazonSageMakerDomainExecution",
        "arn": "arn:aws:sts::111122223333:assumed-role/AmazonSageMakerDomainExecution/AmazonSageMakerDomainExecution",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/service-role/AmazonSageMakerDomainExecution",
                "accountId": "111122223333",
                "userName": "AmazonSageMakerDomainExecution"
            },
            "attributes": {
                "creationDate": "2024-04-22T19:50:39Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "datazone.amazonaws.com"
    },
    "eventTime": "2024-04-22T19:50:40Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datazone.amazonaws.com",
    "userAgent": "datazone.amazonaws.com",
    "requestParameters": {
        "keySpec": "AES_256",
        "encryptionContext": {
            "aws:datazone:domainId": "dzd_sampleid",
            "V": "2024-04-22T17:49:12.98177136Z|cacf3df7-7b99-49f6-ae14-sample",
            "version": "0",
            "N": "dzd_sampleid|arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
            "*aws-kms-table*": "awsdatazoneroaring-data-store-datakeys-prod-us-east-2"
        },
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}        
         

{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2024-04-22T19:50:40Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "encryptionContext": {
            "aws:datazone:domainId": "dzd_sampleid",
            "aws:s3:arn": "arn:aws:s3:::amazon-datazone-us-east-2-422ceee9465430bdb354d1c9efsample"
        },
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
        "keySpec": "AES_256"
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "sharedEventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventCategory": "Management"
}
Decrypt

當您存取加密的 Amazon DataZone 網域時,Amazon DataZone 會呼叫 Decrypt操作,以使用儲存的加密資料金鑰來存取加密的資料。

下面的範例事件會記錄 Decrypt 操作:


{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:AmazonSageMakerDomainExecution",
        "arn": "arn:aws:sts::111122223333:assumed-role/AmazonSageMakerDomainExecution/AmazonSageMakerDomainExecution",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/service-role/AmazonSageMakerDomainExecution",
                "accountId": "111122223333",
                "userName": "AmazonSageMakerDomainExecution"
            },
            "attributes": {
                "creationDate": "2024-04-22T19:50:39Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "datazone.amazonaws.com"
    },
    "eventTime": "2024-04-22T19:51:54Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datazone.amazonaws.com",
    "userAgent": "datazone.amazonaws.com",
    "requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "encryptionContext": {
            "aws:datazone:domainId": "dzd_sampleid",
            "V": "2024-04-22T17:49:12.98177136Z|cacf3df7-7b99-49f6-ae14-sample",
            "version": "0",
            "N": "dzd_sampleid|arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
            "*aws-kms-table*": "awsdatazoneroaring-data-store-datakeys-prod-us-east-2"
        }
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
            

{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "datazone.amazonaws.com"
    },
    "eventTime": "2024-04-22T19:51:54Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datazone.amazonaws.com",
    "userAgent": "datazone.amazonaws.com",
    "requestParameters": {
        "encryptionContext": {
            "aws:datazone:domainId": "dzd_sampleid",
            "V": "2024-04-22T17:49:12.98177136Z|cacf3df7-7b99-49f6-ae14-sample",
            "version": "0",
            "N": "dzd_sampleid|arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
            "*aws-kms-table*": "awsdatazoneroaring-data-store-datakeys-prod-us-east-2"
        },
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "sharedEventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventCategory": "Management"
}
            

{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2024-04-22T19:51:54Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "encryptionContext": {
            "aws:datazone:domainId": "dzd_sampleid",
            "aws:s3:arn": "arn:aws:s3:::amazon-datazone-us-east-2-422ceee9465430bdb354d1c9efsample"
        }
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "sharedEventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventCategory": "Management"
}
RetireGrant

下面的範例事件會記錄 RetireGrant 操作:


{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "datazone.amazonaws.com"
    },
    "eventTime": "2025-04-29T22:18:50Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "RetireGrant",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "datazone.amazonaws.com",
    "userAgent": "datazone.amazonaws.com",
    "requestParameters": null,
    "responseElements": {
        "keyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "additionalEventData": {
        "grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE"
    },
    "requestID": "294308c0-7617-4727-b5c9-34eaf75aa8e3",
    "eventID": "273708f7-5fbb-3a90-b04d-2b3138bf0ec9",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "sharedEventID": "b46377d7-b3c3-4bfd-a257-722bd3f3411d",
    "eventCategory": "Management"
}

建立涉及加密 Glue AWS 目錄的 Data Lake 環境

在進階使用案例中,當您使用加密的 AWS Glue 目錄時,您必須授予 Amazon DataZone 服務的存取權,才能使用客戶管理的 KMS 金鑰。您可以透過更新自訂 KMS 政策並將標籤新增至金鑰來執行此操作。若要授予 Amazon DataZone 服務的存取權,以使用加密 Glue AWS 目錄中的資料,請完成下列操作:

  • 將下列政策新增至您的自訂 KMS 金鑰。如需詳細資訊,請參閱變更金鑰政策

    JSON
    {
    "Version": "2012-10-17"		 	 	 ,
    "Statement": [
        {
            "Sid": "Allow datazone environment roles to decrypt using the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:glue_catalog_id": "<GLUE_CATALOG_ID>"
                },
                "ArnLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::111122223333:role/*datazone_usr*",
                        "arn:aws:iam::444455556666:role/*datazone_usr*"
                    ]
                }
            }
        },
        {
            "Sid": "Allow datazone environment roles to describe the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "ArnLike": {
                    "aws:PrincipalArn": [
                    "arn:aws:iam::111122223333:role/*datazone_usr*",
                    "arn:aws:iam::444455556666:role/*datazone_usr*"
                    ]
                }
            }
        }
    ]
}
    重要

    • 您必須使用您要建立環境的帳戶 IDs來修改政策中的 "aws:PrincipalArn" ARNs。您要建立環境的每個帳戶,都必須在政策中列為 "aws:PrincipalArn"

    • 您還必須將 <GLUE_CATALOG_ID> 取代為 Glue AWS 目錄所在的有效 AWS 帳戶 ID。

    • 請注意,此政策會授予對指定帳戶中所有 Amazon DataZone 環境使用者角色 (Amazon DataZone) 使用金鑰的存取權。如果您只想允許特定環境使用者角色使用 金鑰,則必須指定整個環境使用者角色名稱 arn:aws:iam::<ENVIRONMENT_ACCOUNT_ID>:role/datazone_usr_<ENVIRONMENT_ID>(例如,<ENVIRONMENT_ID> 是環境的 ID),而不是萬用字元格式。

  • 將下列標籤新增至您的自訂 KMS 金鑰。如需詳細資訊,請參閱使用標籤控制對 KMS 金鑰的存取

    
key: AmazonDataZoneEnvironment
value: all